Researchers Reveal New Trick of Hackers to Disable Macro Security Warnings in Malicious Office Files

Hackers are getting way smarter these days and every time coming up with a new plot to carry out malicious acts. Why we saying this is because the latest revelation in the data security world has left the experts agape.

Typically, the norm for phishing campaigns involves distributing weaponized Microsoft Office documents that prompt victims to enable macros in order to activate the taint chain directly. But the latest discovery has indicated attackers using non-malicious documents to disable security warnings before executing macro code to infect target computers.  

Malware authors have once again advanced their technique to evade detection. Researchers from McAfee Labs have come across a novel tactic that reportedly involves downloading and executing malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro.

McAfee says that the distribution of ZLoader infections using this mechanism has been primarily reported in the U.S., Canada, Spain, Japan, and Malaysia. The malware, a descendant of the infamous Zeus banking Trojan, is well known for aggressively using macro-enabled Office documents as an initial attack vector to steal credentials and personally identifiable information from users of targeted financial institutions.

While investigating the invasions, the researchers discovered that the infection chain started with a phishing email comprising a Microsoft Word document attachment. That attached document file when opened, downloaded a password-protected Microsoft Excel file from a remote server. However, here’s an important thing worth noting, macros need to be enabled in the Word document to trigger the download itself.

"After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions," the researchers from McAfee Labs said. "Once the macros are written and ready, the Word document sets the policy in the registry to 'Disable Excel Macro Warning' and invokes the malicious macro function from the Excel file. The Excel file now downloads the ZLoader payload. The ZLoader payload is then executed using rundll32.exe."

Due to the "significant security risk" posed by macros, the feature is usually disabled by default. But this countermeasure has had an unfortunate side-effect; prompting threat actors creating compelling social engineering lures to trick victims into enabling them. By turning off the security warning displayed to the target user, the attacks become prominent because of the steps it takes to impede detection and stay under the radar.

"Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payloads," the researchers. "Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads."

How We Can Help
Webmobril Technologies is a leading cybersecurity services provider in India that offer comprehensive solutions for data privacy and protection. We uncover the risks before others could discover them and bridge all the security gaps to make your crucial data and organization secure. Having a team of industry experts and using the latest tools and technologies, we provide overarching security with trusted compliance and risk program advice.